3/9/2023

Building an Effective Enterprise Software Supply Chain Policy

Author: Cole Kennedy

Rusty robot

Implementing an effective supply chain policy for software products is essential for ensuring the integrity and security of the software supply chain. To create such a policy, multiple levels of policy should be considered, starting with the organizational policy.

Organizational Policy

The organizational policy is a foundational document that outlines a company's principles and goals, including risk management and security practices. It serves as a guide for decision-making, ensuring that employees and stakeholders understand their responsibilities and the consequences of non-compliance. The policy establishes a framework for governance, outlining the roles and responsibilities of key stakeholders and providing oversight and accountability. It also promotes consistency and fairness in the workplace and ensures compliance with legal and regulatory requirements. To achieve an effective policy framework, organizations can use specific frameworks like ISO 9001, ISO 27001, NIST Cybersecurity Framework, COBIT, ITIL, and the COSO Framework. These frameworks provide guidance on developing policies and procedures that can improve organizational performance, reduce risk, and promote a culture of trust and transparency.

Supply Chain Policy

A supply chain policy that focuses on specific requirements and practices of the software supply chain while aligning with the organization's overall goals and objectives is critical. However, additional industry-specific policies, such as government regulations or compliance requirements, may impose additional requirements or restrictions on the software supply chain that must be adhered to.

To ensure secure processes in creating software artifacts, the supply chain policy should require software producers to attest to the processes used, including information attesting to the composition, provenance, and integrity of the software. These attestations provide verification that the software meets acceptable risk thresholds for the target network, thereby mitigating the risk of supply chain attacks.

In addition to verifying the processes used to create software artifacts, the supply chain policy should also model the expected quality, security, and reliability levels of the artifact consumed by end-users or systems. The policy should outline these expectations and ensure that all parties involved in the software supply chain adhere to these standards. The policy should also specify the attestations that must be created throughout the software development process, from design to delivery.

By modeling expectations of the artifact delivered through attestations, the supply chain policy provides a standardized approach to software supply chain management. This ensures that all stakeholders understand and meet the requirements necessary to deliver secure and trustworthy software products to end-users or systems. It is worth noting that while Software Supply Chain Security has only recently received attention, documents such as NIST SSDF and SLSA provide guidance on implementation and can be used as references to improve the supply chain policy.

Automating Attestations

Securing software supply chains is a complex and expensive task. With multiple organizations, approvals, dependencies, and moving parts involved, it can create vulnerabilities and risks. Fortunately, automation can provide a solution. Automating the process of creating and collecting attestations can significantly reduce the cost of risk reduction in software supply chain security. By using standardized templates and predefined rules, organizations can ensure the accuracy and consistency of the information collected, making it easier and less expensive to collect and verify the necessary data.

Moreover, automating attestations provides stakeholders with better visibility into the process, ensuring that the software development and certification process is happening according to specifications. This level of monitoring can reduce delays and continuously monitor the security posture of the software supply chain.

Flowchart depicting the relationship between policies, processes, and attestations in a decision-making framework.

The in-toto Framework

One way to standardize attestations in software supply chain management is by using the in-toto framework. The in-toto framework is an open-source project that provides a standard way to define the steps in a software supply chain, from development to delivery. It allows stakeholders to specify the attestations required at each step and ensures that the software supply chain meets the expected quality, security, and reliability standards.

The in-toto framework provides a common language for software producers and consumers to communicate requirements and expectations, allowing for a more efficient and streamlined process. It also provides a way to track and verify the software supply chain's security posture, reducing the risk of potential attacks.

Witness and Archivista

If you're looking for a way to standardize your attestations, you should check out TestifySecs supported implementation of in-toto, Witness. It's an open-source project that provides a secure and reliable way to create and verify attestations. Additionally, we offer Archivista, an attestation database that provides a centralized location for storing and managing attestations.

By using in-toto Witness and Archivista in your supply chain policy, you can streamline your software supply chain management and ensure that your software product is secure and reliable. So, take the necessary steps to protect your end-users and systems from potential risks and vulnerabilities by securing your software supply chain.